1. Field of the Invention
The present invention relates to data communication using a public key in a network environment.
2. Description of the Prior Art
In public key encryption for data communication in a network, when a sending end transmits data to a receiving end, a pair of a public key and a private key (secret key) is created, and data to be transmitted is encrypted with the private key. Then the encrypted data is transmitted. At the receiving end, the data is decrypted with the public key. Public key infrastructure (PKI) uses the public key encryption and organizes certificate authorities as third parties to issue an electronic certificate (hereinafter referred to as certificate) for verifying the identity of the sending end. A public key to be used for decrypting the certificate is sent through a certificate authority. When the sending end transmits data, it calculates a hash value on the data, and encrypts the data and the hash value with the private key for an electronic signature. Then, the sending end requests the certificate authority to issue a certificate, and the certificate authority creates a pair of a public key and a private key and issues an electronic certificate. In the electronic certificate, information including the public key of the sending end is encrypted with the private key of the certificate authority. The sending end performs an electronic signature to the data by using a hash value, adds the signature to the certificate issued by the certificate authority and sends them as well as the data to a receiving end. The receiving end gets the public key for the certificate from the certificate authority, decrypts the certificate with the public key to get the public key of the sending end. Thus, the identity of the sending end of the electronic signature can be confirmed, and the security is enhanced. Then, the data and the hash value are decrypted with the public key of the sending end. By decrypting the hash value, the forgery of the data can be checked. Further, by decrypting the data, it is verified that the data is sent by the sending end. A user requests a certificate authority to issue a certificate for each created public key. A data communication system which simplifies the issuance of a certificate is described in, for example, Japanese Patent laid open Publication 2001-320356.
In the public key infrastructure (PKI), certificate authorities are organized in a hierarchical structure. Certificate authorities at the highest level are called root certificate authorities. A series of certificates are signed by a series of certificate authorities up to the root certificate authority in a hierarchical order. A certificate of a certificate authority is used for verification of the public key of a subordinate certificate authority in the hierarchical order. Thus, for the verification of a certificate, a chain of certificates or an entire list up to the root certificate authority has to be acquired.
Recently, secure encrypted communication such as Secure Sockets Layer (SSL) communication is needed in a network environment. SSL is a communication protocol for transmitting encrypted data between a web server and a web browser, wherein public key encryption and electronic certificates are used to send data securely. For secure data communication with use of SSL protocol or the like, a server apparatus which sends data needs a certificate. A certificate can be purchased from an external certificate authority which gives a service to issue a certificate. However, in a network such as an intranet, a user would not want to buy an expensive certificate from an authority outside the network only for SSL communication. On the other hand, a certificate may be created by a server apparatus. However, when a certificate created by the server apparatus is used, because the certificate is not issued by a certificate authority, a warning is given in a warning dialog in the screen of the server apparatus to inform the user that the certificate is not trusted. This is because a list of certificates up to the root certificate authority is not available.